We study in depth the class of games with opacity condition, which are two-player games with imperfect information in which only one of the players has imperfect information, and where the winning condition relies on the information he has along the play. Those games are relevant for security aspects of computing systems: a play is opaque whenever the player who has imperfect information never "knows" for sure that the current position is one of the distinguished "secret" positions. We study the problems of deciding the existence of a winning strategy for each player, and we call them the opacity-violate problem and the opacity-guarantee problem. Focusing on the player with perfect information is new in the field of games with imperfect information because, when considering classical winning conditions, it amounts to solving the underlying perfect-information game. We establish the EXPTIME-completeness of both above-mentioned problems, showing that our winning condition brings a gap of complexity for the player with perfect information, and we exhibit the relevant opacity-verify problem, which noticeably generalizes approaches considered in the literature for opacity analysis in discrete-event systems. In the case of blindfold games, this problem relates to the two initial ones, yielding the determinacy of blindfold games with opacity condition and the PSPACE-completeness of the three problems.



1 Introduction 

We described in [14] a class of two-player games with imperfect information that we called games with opacity condition. In these games, the players are Robert (for "robber") and Gerald (for "guardian"). Robert has imperfect information as opposed to Gerald who has perfect information. This asymmetric setting is very relevant for the verification of open systems and all the more for security aspects as it captures the intuitive picture of an attacker having only partial information against a system. The game model we consider relies on the classical imperfect-information arenas, as defined e.g. in [16, 1], but it is equipped with a subset of positions that denote confidential information and that we call secrets. We focus on the opportunity for Robert to discover some secret, by introducing the property of opacity: a play is opaque if, at each step of the (infinite) play, the set of positions that are considered possible by Robert does not consist of secrets only. In games with opacity condition, the opacity property is the winning condition for Gerald. Informally, Robert tries to force the game to reach some point where he knows for sure that the current position is a secret, whereas Gerald tries to keep Robert under uncertainty. Note that this winning condition can be seen as a particular epistemic temporal logic statement [10] on an imperfect-information arena seen as an epistemic temporal model: this ETL formula is $G\,\neg K_{Robert}\, secret$. However, to our knowledge the complexity of deciding the existence of winning strategies for such winning conditions has never been studied in depth.

Our claim that games with opacity condition are natural and adequate models for practical applications is all the more sustained by very recent contributions of the literature [17, 8]. These results mainly arise from the analysis of discrete-event systems and their theory of control, and our games embed some problems studied in this domain, such as the verification of opacity. The abstract setting provided by the game-theoretical paradigm enables us to focus on essential aspects of the topic, such as synthesizing strategies, and to circumvent the complexity of the problems.

Not surprisingly, games with opacity condition are not determined [14]. We therefore introduced two dual problems: the opacity-violate problem and the opacity-guarantee problem, that consist of deciding the existence of a winning strategy, respectively for Robert and for Gerald. The opacity-violate problem generalizes the strategy problem in reachability games with imperfect information [16], and so does the opacity-guarantee problem, but putting the emphasis on the player who has perfect information and has the complementary safety objective. The latter has, to our knowledge, never been done, for the following reason. In two-player games with imperfect information, when considering the existence of winning strategies for a player, one can equivalently consider that the opponent has perfect information (see [16]). Thus, when dealing with omega-regular winning conditions in arenas where the imperfect information is asymmetric, focusing on the player with perfect information would amount to solving the underlying perfect-information game. Our case is different: when considering Gerald's point of view, we could indeed equivalently consider that Robert plays with perfect information too, but we cannot give up the imperfect-information setting because the definition of the winning condition itself relies on Robert's information along the play.

In addition to the two aforementioned problems, we consider the opacity-verify problem as an intermediate problem: the question here is to decide whether in a game with opacity condition, all strategies of Gerald are winning. The choice of considering this apparently weird problem is well motivated. Firstly, it is equivalent both to the opacity-guarantee problem and to the complement of the opacity-violate problem for blindfold games; an immediate consequence is the determinacy of blindfold games with opacity condition. And secondly, it enables us to embed opacity issues in discrete-event systems with a strong language-theoretic feature, addressed earlier in the literature [17, 8].

In this contribution, we consider the three problems of opacity-violate, opacity-guarantee and opacity-verify, keeping in mind that our main attention turns to the opacity-guarantee problem. It is not hard to establish the EXPTIME-completeness of the opacity-violate problem, from a power-set construction inspired by [16] that amounts to solving a perfect-information reachability game, and from the fact that it generalizes imperfect-information games with reachability condition, known to be EXPTIME-complete [16]. Regarding the opacity-guarantee problem, we rely on an earlier power-set construction to reduce this problem to a perfect-information game [14], yielding EXPTIME membership. The EXPTIME-hardness result for this problem, where the main player (Gerald) has perfect information, was unknown until now and relies on a reduction from the empty input string acceptance problem for linearly-bounded alternating Turing machines. The key point is a novel encoding of configurations by information sets. Concerning the opacity-verify problem, we prove its PSPACE-completeness, which for the lower bound relies on a reduction similar to the one in [6] from the universality problem for nondeterministic automata [19]. Interestingly, the opacity-verify problem relates the two other problems for the particular case of blindfold games, in such a way that those games are determined. We also show that the blindfold setting embraces the language-theoretic approaches for opacity analysis in discrete-event systems [17, 8].

The paper is organized as follows. In Section 2 we define games with opacity condition. In Section 3 we present the opacity-guarantee problem and the opacity-violate problem, and we establish their EXPTIME complexity. We first recall the power-set constructions from [14] yielding the upper bounds, then we show the matching lower bounds. In Section 4 we consider the opacity-verify problem for blindfold games. In this setting, we establish the determinacy and the PSPACE-completeness of the three opacity problems. In Section 5 we relate the opacity-verify problem to the language opacity verification of [17, 8]. In Section 6 we discuss complexity aspects of problems regarding Gerald's winning strategies. We conclude in Section 7 by giving some ideas on our current and future work.
2 Games with opacity condition

A game with opacity condition over the alphabet $\Sigma$ and the set of observations $\Gamma$ is an imperfect-information game structure $A = (V, \Delta, obs, act, v_0, S)$ where $V$ is a finite set of positions, $\Delta : V \times \Sigma \to 2^V \setminus \{\emptyset\}$ is a transition function, $obs : V \to \Gamma$ is an observation function, and $act : \Gamma \to 2^\Sigma \setminus \{\emptyset\}$ assigns to each observation a non-empty set of available actions, so that available actions are identical for observationally equivalent positions. Finally, $v_0$ is the initial position, and the additional element $S \subseteq V$ in the structure $A$ is a finite set of secret positions.

In a game $A = (V, \Delta, obs, act, v_0, S)$, the players are Gerald and Robert. A play is an infinite sequence of rounds, and in each round $i \geq 1$, Robert chooses an action $a_i \in act(obs(v_{i-1}))$, Gerald chooses the new position $v_i \in \Delta(v_{i-1}, a_i)$, and Robert observes $obs(v_i)$. A play in $A$ is an infinite sequence $\rho = v_0 a_1 v_1 \ldots \in v_0(\Sigma V)^\omega$ that results from an interaction of Robert and Gerald in this game.

We now extend $obs$ to plays by letting $obs(v_0 a_1 v_1 a_2 v_2 \cdots) := v_0 a_1 \gamma_1 a_2 \gamma_2 \cdots$ with $\gamma_i = obs(v_i)$ for each $i \geq 1$. The imperfect-information setting leads Robert to partially observe a play $\rho$ as $obs(\rho)$. Note that since the initial position is a part of the description of the arena, it is known by Robert.

For every natural number $k \in \mathbb{N}$ and play $\rho$, we denote by $\rho^k \in v_0(\Sigma V)^k$ the $k$-th prefix of $\rho$, defined by $\rho^k := v_0 a_1 v_1 \ldots a_k v_k$, with the convention that $\rho^0 = v_0$. We denote by $\rho^+$ an arbitrary prefix of $\rho$.

Since the information revealed to Robert is based on observations, a strategy of Robert in $A$ is a mapping of the form $\alpha : v_0(\Sigma\Gamma)^* \to \Sigma$ such that for any play prefix $\rho^k$ ending in observation $\gamma$, $\alpha(obs(\rho^k)) \in act(\gamma)$. On the contrary, Gerald has perfect information on how the play progresses, so a strategy of Gerald in $A$ is a mapping of the form $\beta : v_0(\Sigma V)^*\Sigma \to V$ such that for any play prefix $\rho^k$ ending in position $v$, for all $a \in act(obs(v))$, $\beta(\rho^k a) \in \Delta(v, a)$.

Given strategies $\alpha$ and $\beta$ of Robert and of Gerald respectively, we say that a play $\rho = v_0 a_1 v_1 \ldots$ is induced by $\alpha$ if $\forall k \geq 1$, $a_k = \alpha(obs(\rho^{k-1}))$, and $\rho$ is induced by $\beta$ if $\forall k \geq 1$, $v_k = \beta(\rho^{k-1} a_k)$. We also write $\widehat{\alpha\beta}$ for the only play induced by $\alpha$ and by $\beta$.

In the following, an observation $\gamma$ might be interpreted as the set of positions it denotes, namely $obs^{-1}(\gamma)$.

Let us fix a play $\rho = v_0 a_1 v_1 a_2 v_2 \cdots$. Note that every $k$-th prefix of $\rho$ characterizes a unique information set $I(\rho^k) \subseteq V$ consisting of the set of positions that Robert considers possible in the game after $k$ rounds. Formally, information sets can be defined inductively as follows.

Definition 1 For every play $\rho = v_0 a_1 v_1 a_2 v_2 \cdots$ we let $I(\rho^0) := \{v_0\}$ and $I(\rho^{k+1}) := \Delta(I(\rho^k), a_{k+1}) \cap obs(v_{k+1})$, for $k \in \mathbb{N}$.

We now define the opacity property:

Definition 2 For a given set of secret positions $S \subseteq V$, a play $\rho$ satisfies the opacity property for $S$, or is $S$-opaque, if:

$$\forall k \in \mathbb{N},\ I(\rho^k) \not\subseteq S$$

Informally, the opacity condition means that Robert never knows with certainty that the current position is a secret, because there is always one of the positions he considers possible that is not a secret. In a game with opacity condition, the opacity property is the winning condition for Gerald, i.e. $S$-opaque plays are winning for Gerald, and the other ones are winning for Robert.
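As an added illustration of Definitions 1 and 2 (example code written for this page, not taken from the paper), the following Python computes the information sets along a play prefix and checks the $S$-opacity property on a small constructed arena. The arena, its position and action names, and the sample plays are our own assumptions; note that Robert can know he is on a secret even when two positions remain possible, as long as both are secrets.

```python
# Added example (not from the paper): information sets of Definition 1 along a play prefix
# and the S-opacity check of Definition 2, on a small constructed arena.

# Constructed arena A = (V, Delta, obs, act, v0, S); all names are ours.
DELTA = {  # Delta : V x Sigma -> 2^V \ {emptyset}
    ("v0", "x"): {"a", "b"},
    ("a", "x"): {"s1"}, ("a", "y"): {"t"},
    ("b", "x"): {"s2"}, ("b", "y"): {"s2"},
    ("s1", "x"): {"t"}, ("s1", "y"): {"t"},
    ("s2", "x"): {"t"}, ("s2", "y"): {"t"},
    ("t", "x"): {"t"}, ("t", "y"): {"t"},
}
# obs: positions a and b share observation g1, the two secrets share g2
OBS = {"v0": "g0", "a": "g1", "b": "g1", "s1": "g2", "s2": "g2", "t": "g3"}
ACT = {"g0": {"x"}, "g1": {"x", "y"}, "g2": {"x", "y"}, "g3": {"x", "y"}}
V0 = "v0"
S = {"s1", "s2"}  # secret positions


def delta_set(I, a):
    """Delta lifted to sets of positions: Delta(I, a) = union of Delta(v, a) for v in I."""
    return set().union(*(DELTA[(v, a)] for v in I))


def information_sets(play):
    """Given a play prefix [v0, a1, v1, ..., ak, vk], return [I(rho^0), ..., I(rho^k)].
    Raises ValueError if the prefix is not a legal interaction in the arena."""
    v_prev, I = play[0], frozenset({play[0]})
    sets = [I]
    for a, v in zip(play[1::2], play[2::2]):
        if a not in ACT[OBS[v_prev]] or v not in DELTA[(v_prev, a)]:
            raise ValueError(f"illegal round: {v_prev} -{a}-> {v}")
        # Definition 1: I(rho^{k+1}) = Delta(I(rho^k), a_{k+1}) ∩ obs^{-1}(obs(v_{k+1}))
        I = frozenset(u for u in delta_set(I, a) if OBS[u] == OBS[v])
        sets.append(I)
        v_prev = v
    return sets


def is_opaque(play):
    """Definition 2 restricted to a finite prefix: no information set is included in S."""
    return all(not I <= S for I in information_sets(play))


if __name__ == "__main__":
    # Constructed sample plays: after v0 -x-> {a,b}, the second action decides what Robert learns.
    for play in (["v0", "x", "a", "y", "t"],
                 ["v0", "x", "a", "x", "s1"],
                 ["v0", "x", "b", "y", "s2"]):
        print(play, [sorted(I) for I in information_sets(play)],
              "opaque" if is_opaque(play) else "NOT opaque")
```

In the second play Robert cannot tell s1 from s2, yet the information set {s1, s2} is included in $S$, so the play is not opaque; in the first play the observation g3 rules out every secret.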

Remark 1 The definition of the arena and of the opacity condition are slightly different from the ones in [14]: originally Robert's aim was to reach a singleton information set. We introduce here the set of secret positions and define the winning condition accordingly because it makes these games closer to the intuition behind opacity. Anyway, the results established in [14] still hold in this setting, and adapting the proofs is straightforward.
3 Opacity-violate and opacity-guarantee problems

It is well known that perfect-information games are determined [13], and that imperfect-information games are not determined in general. We recall that a game is determined if each position is winning for one of the two players.

We proved the following result in [14]:

Theorem 1 Games with opacity condition are not determined in general.

This result leads us to introduce two dual problems. We remind that $\alpha$ (resp. $\beta$) stands for a strategy of Robert (resp. Gerald). We first consider Robert's point of view.

Definition 3 Given a game with opacity condition $A = (V, \Delta, obs, act, v_0, S)$, the opacity-violate problem is to decide whether the following property holds:

$$\exists \alpha,\ \forall \beta,\ \widehat{\alpha\beta} \text{ is not } S\text{-opaque}$$

We now consider Gerald's dual point of view.

Definition 4 Given a game with opacity condition $A = (V, \Delta, obs, act, v_0, S)$, the opacity-guarantee problem is to decide whether the following property holds:

$$\exists \beta,\ \forall \alpha,\ \widehat{\alpha\beta} \text{ is } S\text{-opaque}$$

Remark 2 It is important to comment on Definition 4 regarding the universal quantification over Robert's strategies. As defined, this quantification ranges over observation-based strategies only. The opacity-guarantee problem would however be equivalent if this quantification ranged over the wider set of perfect-information strategies, as already argued by Reif in [16]: along a play, Robert's possible behaviors are not restricted by observation-based strategies.

In the rest of this section we prove the following result: 

Theorem 2 The opacity-violate and opacity-guarantee problems are EXPTIME-complete. 

In the following, we adopt the classic convention that the size of a game is the size of its arena, i.e. 
the number of positions. 

3.1 Power-set constructions for upper bounds 

We recall the power-set constructions of [14] that lead to equivalently solving perfect-information games.

We first address the opacity-violate problem. Since we consider the point of view of the player with imperfect information, this problem is close to problems usually studied in games with imperfect information. This is why we can easily rely on previous work on the topic to study its complexity. We remind the construction from [14], which is strongly inspired from the one described by Reif in [16]:

Let $A = (V, \Delta, obs, act, v_0, S)$ be a game with opacity condition. We define a reachability perfect-information game $\tilde{A}$, where the players are Roberta and SuperGeraldine¹. A position of $\tilde{A}$ is either $I$ where $I$ is a reachable information set in $A$ (it is a position of Roberta), or $(I, a)$ where $I$ is a reachable information set in $A$ and $a \in act(I)$² (it is a position of SuperGeraldine).

¹ We use the superlative "Super" here because in general the winning strategies of SuperGeraldine do not reflect any winning strategy of Gerald in $A$. She has "more power" than Gerald.

² $act(I)$ makes sense because an information set is always a subset of a single observation.
The game is played as follows. It starts in the initial position $I_0 := \{v_0\}$ of Roberta. In a position $I$, Roberta chooses $a \in act(I)$ and moves to position $(I, a)$. Next, let $O$ be the set of reachable observations from $I$ by $a$. SuperGeraldine chooses a next information set $\Delta(I, a) \cap \gamma$, where $\gamma$ ranges over $O$. In $\tilde{A}$, a play $I_0 (I_0, a_1) I_1 (I_1, a_2) \cdots$ is winning for Roberta if it reaches a position of the form $I$ with $I \subseteq S$, otherwise it is winning for SuperGeraldine.

Theorem 3 [14] Robert has a winning strategy in $A$ if, and only if, Roberta has a winning strategy in the perfect-information game $\tilde{A}$.

Due to nondeterminacy (Theorem 1), the opacity-guarantee problem has to be studied on its own. We remind the power-set construction for the opacity-guarantee problem described in [14], that leads to a safety perfect-information game $\hat{A}$. In this game, unlike in $\tilde{A}$, we maintain extra information on how Gerald is playing in $A$. The players in $\hat{A}$ are SuperRoberta³ and Geraldine. A position in $\hat{A}$ is either of the form $(I, v)$ where $I$ is a reachable information set in $A$ and $v \in I$ (it is a position of SuperRoberta), or of the form $(I, v, a)$ where $I$ is a reachable information set in $A$, $v \in I$, and $a \in act(I)$ (it is a position of Geraldine). The initial position is $(\{v_0\}, v_0)$. In position $(I, v)$, SuperRoberta chooses $a \in act(I)$ and moves to $(I, v, a)$. In position $(I, v, a)$, Geraldine chooses $v' \in \Delta(v, a)$ and moves to $(I', v')$ where $I' = \Delta(I, a) \cap obs(v')$. In $\hat{A}$, a play $(I_0, v_0)(I_0, v_0, a_1)(I_1, v_1) \cdots$ is winning for SuperRoberta if it reaches a position $(I, v)$ with $I \subseteq S$, otherwise it is winning for Geraldine.

Theorem 4 [14] Gerald has a winning strategy in $A$ if, and only if, Geraldine has a winning strategy in the perfect-information game $\hat{A}$.

It is well known that perfect-information reachability games and perfect-information safety games are solvable in PTIME. Since the constructions of $\tilde{A}$ and $\hat{A}$ involve a single exponential blow-up, it follows from Theorems 3 and 4 that the opacity-violate and opacity-guarantee problems are in EXPTIME.
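The two power-set constructions above, as an added example written for this page (not the paper's or its authors' code): both $\tilde{A}$ and $\hat{A}$ are built lazily from the arena and solved by the classic backward attractor computation for finite reachability games (Geraldine's safety game is solved as the complement of SuperRoberta's reachability game). The arena, its names, and the two observation variants are constructed assumptions; the first variant is not determined (neither player has a winning strategy, as in Theorem 1), the second is won by Gerald.

```python
# Added example (not from the paper): the power-set constructions of Section 3.1 solved as
# perfect-information reachability games by a backward attractor computation. Names are ours.
from collections import namedtuple

Arena = namedtuple("Arena", "delta obs act v0 S")

# Constructed arena: at v0 Gerald secretly picks a or b (same observation g1), then Robert picks x or y.
DELTA = {
    ("v0", "x"): {"a", "b"},
    ("a", "x"): {"s"}, ("a", "y"): {"t"},
    ("b", "x"): {"t"}, ("b", "y"): {"s2"},
    ("s", "x"): {"s"}, ("s2", "x"): {"s2"}, ("t", "x"): {"t"},
}
ACT = {"g0": {"x"}, "g1": {"x", "y"}, "g2": {"x"}, "g3": {"x"}}
# Variant 1: secret s and non-secret t are observationally distinct, so Robert's action "tests"
# Gerald's hidden choice but Gerald's hidden choice "tests" Robert's action: not determined.
NOT_DETERMINED = Arena(DELTA, {"v0": "g0", "a": "g1", "b": "g1", "s": "g2", "s2": "g2", "t": "g3"},
                       ACT, "v0", {"s", "s2"})
# Variant 2: s, s2 and t share one observation, so Robert never learns anything: Gerald wins.
GERALD_WINS = Arena(DELTA, {"v0": "g0", "a": "g1", "b": "g1", "s": "g2", "s2": "g2", "t": "g2"},
                    ACT, "v0", {"s", "s2"})


def next_info_sets(ar, I, a):
    """All Delta(I, a) ∩ obs^{-1}(gamma) for the observations gamma reachable from I by a."""
    succ = set().union(*(ar.delta[(v, a)] for v in I))
    return {frozenset(v for v in succ if ar.obs[v] == g) for g in {ar.obs[v] for v in succ}}


def attractor(start, succ, owner, target, player):
    """Finite reachability game generated from `start`: the positions from which `player`
    can force a visit to a `target` position (standard backward fixpoint)."""
    nodes, frontier = {start}, [start]
    while frontier:
        u = frontier.pop()
        for w in succ(u):
            if w not in nodes:
                nodes.add(w)
                frontier.append(w)
    attr = {u for u in nodes if target(u)}
    changed = True
    while changed:
        changed = False
        for u in nodes - attr:
            outs = succ(u)
            forced = any(w in attr for w in outs) if owner(u) == player else all(w in attr for w in outs)
            if outs and forced:
                attr.add(u)
                changed = True
    return attr


def opacity_violate(ar):
    """Theorem 3: Robert wins A iff Roberta wins the reachability game on information sets.
    Roberta owns positions I, SuperGeraldine owns positions (I, a)."""
    def succ(p):
        if isinstance(p, frozenset):
            return [(p, a) for a in ar.act[ar.obs[next(iter(p))]]]  # act(I): I lies in one observation
        return list(next_info_sets(ar, *p))
    owner = lambda p: "Roberta" if isinstance(p, frozenset) else "SuperGeraldine"
    start = frozenset({ar.v0})
    win = attractor(start, succ, owner, lambda p: isinstance(p, frozenset) and p <= ar.S, "Roberta")
    return start in win


def opacity_guarantee(ar):
    """Theorem 4: Gerald wins A iff Geraldine wins the safety game on pairs (I, v) with v in I.
    SuperRoberta owns (I, v), Geraldine owns (I, v, a); Geraldine wins iff SuperRoberta cannot
    force a pair whose information set consists of secrets only."""
    def succ(p):
        if len(p) == 2:
            I, v = p
            return [(I, v, a) for a in ar.act[ar.obs[v]]]
        I, v, a = p
        # v' in Delta(v, a) and the updated information set Delta(I, a) ∩ obs^{-1}(obs(v'))
        return [(next(J for J in next_info_sets(ar, I, a) if v2 in J), v2) for v2 in ar.delta[(v, a)]]
    owner = lambda p: "SuperRoberta" if len(p) == 2 else "Geraldine"
    start = (frozenset({ar.v0}), ar.v0)
    win = attractor(start, succ, owner, lambda p: len(p) == 2 and p[0] <= ar.S, "SuperRoberta")
    return start not in win


def is_determined(ar):
    return opacity_violate(ar) or opacity_guarantee(ar)


if __name__ == "__main__":
    for name, ar in (("not determined", NOT_DETERMINED), ("Gerald wins", GERALD_WINS)):
        print(name, "violate:", opacity_violate(ar), "guarantee:", opacity_guarantee(ar))
```

The search explores only information sets (resp. pairs $(I, v)$) reachable from the initial position, so the exponential blow-up is paid only for the part of the power-set arena that matters; the fixpoint itself is the PTIME reachability solver the text refers to.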

3.2 Matching lower bounds 

We prove here that the opacity-violate and the opacity-guarantee problems are EXPTIME-hard.

First, EXPTIME-hardness of the opacity-violate problem is proved by a reduction from reachability imperfect-information games of [16]. Recall that a reachability imperfect-information game is a game of imperfect information $A = (V, F, \Delta, obs, act, v_0)$ over $\Sigma$ and $\Gamma$ with a distinguished set of target observations $F \subseteq \Gamma$ that Robert aims at reaching.

Theorem 5 [16] Solving reachability imperfect-information games is EXPTIME-complete.

The reduction is straightforward. Let $A = (V, F, \Delta, obs, act, v_0)$ be a reachability imperfect-information game over $\Sigma$ and $\Gamma$. We define the game with opacity condition $A' := (V, \Delta, obs, act, v_0, S)$ over $\Sigma$ and $\Gamma$, where $S = \bigcup_{\gamma \in F} \gamma$. It is easy to see that solving the reachability imperfect-information game $A$ is equivalent to solving the opacity-violate problem in the game $A'$: a winning strategy for Robert to reach $F$ in $A$ is also a winning strategy for Robert in $A'$, and vice versa (remember that the information set is always a subset of the current observation).

We now show that the opacity-guarantee problem is EXPTIME-hard by a polynomial-time reduction from the acceptance problem of the empty input string for linearly-bounded alternating Turing Machines (TM) with a binary branching degree, which is EXPTIME-complete [5]. The key idea is to encode TM configurations by the information sets.

³ We use the superlative "Super" as, contrary to what Roberta could do in the game $\tilde{A}$, SuperRoberta can take advantage of the extra information.
In the rest of this section, we fix such a TM $\mathcal{M} = (B, Q = Q_\forall \cup Q_\exists \cup \{q_{acc}, q_{rej}\}, q_0, \delta)$, where $B$ is the input alphabet, $Q_\exists$ (resp. $Q_\forall$) is the set of existential (resp. universal) states, $q_0 \in Q$ is the initial state, $q_{acc} \notin Q_\forall \cup Q_\exists$ is the (terminal) accepting state, $q_{rej} \notin Q_\forall \cup Q_\exists$ is the (terminal) rejecting state, and $\delta : (Q_\forall \cup Q_\exists) \times B \to (Q \times B \times \{+1, -1\}) \times (Q \times B \times \{+1, -1\})$ is the transition function. In each non-terminal step (i.e., the current state is in $Q_\forall \cup Q_\exists$), $\mathcal{M}$ overwrites the tape cell being scanned, and the tape head moves one position to the left ($-1$) or right ($+1$). Let $n$ be the size of $\mathcal{M}$ and $[n] = \{1, \ldots, n\}$. We assume that $n > 1$.

Since $\mathcal{M}$ is linearly bounded, we can assume that $\mathcal{M}$ uses exactly $n$ tape cells when started on the empty input string $\varepsilon$. Hence, a configuration (of $\mathcal{M}$ over $\varepsilon$) is a word $C = w_1 (q, b) w_2 \in B^* \cdot (Q \times B) \cdot B^*$ of length exactly $n$ denoting that the tape content is $w_1 b w_2$, the current state is $q$, and the tape head is at position $|w_1| + 1$. The initial configuration $C_{init}$ is given by $(q_0, \sqcup)\sqcup^{n-1}$, where $\sqcup$ is the blank symbol. Moreover, without loss of generality, we assume that when started on $C_{init}$, no matter what the universal and existential choices are, $\mathcal{M}$ always halts by reaching a terminal configuration $C$, i.e. such that the associated state, written $q(C)$, is in $\{q_{acc}, q_{rej}\}$ (this assumption is standard, see [5]). For a non-terminal configuration $C = w_1 (q, b) w_2$ (i.e. such that $q \in Q_\exists \cup Q_\forall$), we denote by $succ_l(C)$ (resp. $succ_r(C)$) the successor of $C$ obtained by choosing the left (resp. the right) triple in $\delta(q, b)$. An accepting computation tree of $\mathcal{M}$ over $\varepsilon$ is a finite tree $T$ whose nodes are labeled by configurations and such that the root is labeled by $C_{init}$, the leaves are labeled by accepting configurations $C$, i.e. $q(C) = q_{acc}$, each internal node $x$ is labeled by a non-terminal configuration $C$, and: (1) if $C$ is existential (i.e., $q(C) \in Q_\exists$), then $x$ has exactly one child whose label is one of the two successors of $C$, and (2) if $C$ is universal (i.e., $q(C) \in Q_\forall$), then $x$ has exactly two children corresponding to the two successors $succ_l(C)$ and $succ_r(C)$ of $C$. We construct a game with opacity condition $A_{\mathcal{M}}$ such that Gerald has a winning strategy in $A_{\mathcal{M}}$ if, and only if, there is an accepting computation tree of $\mathcal{M}$ over $\varepsilon$ (Theorem 6). Hence, EXPTIME-hardness of the opacity-guarantee problem follows.

In the game $A_{\mathcal{M}}$, the tape content can be retrieved from the current information set (of size $n$), and the remaining information about the current configuration is available in each position of the information set. A step of the machine is simulated by two rounds of the game: in the first round, depending on whether the current state is universal or existential, Robert simulates the universal choice of the next configuration or Gerald simulates the existential choice, and the second round simulates the updating of the configuration of the machine.

Here, we describe the construction of the game $A_{\mathcal{M}} = (V, \Delta, obs, act, v_0, S)$.

1. $V = \{v_0, safe_L, safe_R, safe_{choice}\} \cup (([n] \times B) \times ([n] \times Q \times B) \times \{L, R, choice\})$.

2. $obs : V \to \Gamma = \{\gamma_0, \gamma_{choice}, \gamma_L, \gamma_R\}$ is defined by

$$obs(v) = \begin{cases} \gamma_0 & \text{if } v = v_0 \\ \gamma_L & \text{if } v \in \{safe_L\} \cup (([n] \times B) \times ([n] \times Q \times B) \times \{L\}) \\ \gamma_R & \text{if } v \in \{safe_R\} \cup (([n] \times B) \times ([n] \times Q \times B) \times \{R\}) \\ \gamma_{choice} & \text{otherwise.} \end{cases}$$

3. $act : \Gamma \to \Sigma = \{\forall_L, \forall_R, \exists\} \cup B$ is defined by

$$act(\gamma) = \begin{cases} \Sigma & \text{if } \gamma = \gamma_0 \\ \{\forall_L, \forall_R, \exists\} & \text{if } \gamma = \gamma_{choice} \\ B & \text{otherwise.} \end{cases}$$

4. $S = ([n] \times B) \times ([n] \times \{q_{rej}\} \times B) \times \{choice\}$.
We delay the formal definition of $\Delta : V \times \Sigma \to 2^V \setminus \{\emptyset\}$ until after informally describing the running of the game. A configuration $C$ is encoded by an information set $I_f(C)$ of the form

$$\{((1, b_1), (i, q(C), b_i), f), \ldots, ((n, b_n), (i, q(C), b_i), f)\}$$

where $f \in \{L, R, choice\}$, $i$ is the position of the tape cell of $C$ being scanned, and for each $1 \leq j \leq n$, $b_j$ is the content of the $j$-th cell. For each $f \in \{L, R, choice\}$, $I_f(C)$ is called the $f$-code of $C$, and during a play, the current information set is of the form $I_f(C)$ for some reachable configuration $C$ of the machine, unless Robert happened to have made some deviating move which does not simulate the dynamics of $\mathcal{M}$. We capture this deviation by making Robert lose: technically, the play enters one of the safe positions $safe_L$, $safe_R$, or $safe_{choice}$ that do not belong to the set $S$ of secrets; then, once a safe position is reached, only other safe positions can be reached, which makes Gerald win, whatever Robert does in the future. Note that for each $f \in \{L, R\}$, $I_f(C)$ does not violate the opacity condition for $S$, and $I_{choice}(C)$ violates the opacity condition for $S$ if, and only if, $C$ is rejecting (i.e. $q(C) = q_{rej}$). For all $q \in Q_\exists \cup Q_\forall$ and $b \in B$, we denote by $\delta_L(q, b)$ (resp. $\delta_R(q, b)$) the left (resp. right) triple in $\delta(q, b)$. The behavior of $A_{\mathcal{M}}$ is as follows:

First round: From the initial position $v_0$, whatever Robert and Gerald choose, the information set at the end of the first round is $I_{choice}(C_{init})$, the choice-code of the initial configuration.

The current information set is $I_{choice}(C)$ for some terminal configuration $C$: If $C$ is rejecting, then $I_{choice}(C) \subseteq S$ and Gerald loses. Otherwise, $I_{choice}(C) \not\subseteq S$ and, independently of the move of Robert, the play reaches a safe position $safe_{dir}$ for some $dir \in \{L, R\}$ and Gerald wins.

As we shall see, there remain only two cases, which in turn simulate a complete step of $\mathcal{M}$.

The current information set is $I_{choice}(C)$ for some non-terminal configuration $C$: Let $v = ((k, b_k), (i, q(C), b_i), choice)$ be the current position (corresponding to some position in $I_{choice}(C)$). From $obs(v)$, Robert can only choose actions in $\{\exists, \forall_L, \forall_R\}$. There are again two cases.

$C$ is existential (note that this information is contained in the position $v$). Moves $\forall_L$ and $\forall_R$ of Robert are deviating and the play reaches one of the safe positions $safe_L$ or $safe_R$, thus Gerald wins. If instead Robert's move is $\exists$, the following move $dir \in \{L, R\}$ of Gerald aims at simulating the existential choice of $\mathcal{M}$ in the configuration $C$. The reached position is then $v' = ((k, b_k), (i, q(C), b_i), dir)$.

$C$ is universal. The move $\exists$ of Robert is deviating and the following move of Gerald can lead only to $safe_L$ or $safe_R$, which makes him win. Instead, Robert's move $\forall_{dir} \in \{\forall_L, \forall_R\}$ simulates the universal choice of $\mathcal{M}$ in the configuration $C$. Next, Gerald's move is unique and leads to the position $v' = ((k, b_k), (i, q(C), b_i), dir)$.

Whatever the type of the configuration $C$ was, by letting the observation classes split positions with different values of $dir$ (see the definition of $obs$ above), the information set after the move of Gerald becomes $I_{dir}(C)$, unless Robert's move was deviating.

The current information set is $I_{dir}(C)$ with $dir \in \{L, R\}$, for some non-terminal configuration $C$: Let the current position be $v = ((k, b_k), (i, q(C), b_i), dir) \in I_{dir}(C)$, and let $\delta_{dir}(q(C), b_i) = (q_{dir}, b_{dir}, \theta_{dir})$. The value $j = i + \theta_{dir}$ represents the position of the cell being scanned in the next configuration $succ_{dir}(C)$; note that the value $j$ is easily computable from the current position $v$. In order however to complete the step of the machine and to reach the information set $I_{choice}(succ_{dir}(C))$, the value of $b_j$ must be provided by the game. Therefore, we let $b_j$ be the only non-deviating move of Robert from position $v \in I_{dir}(C)$, among the possible moves in $B$.






From position $v = ((k, b_k), (i, q(C), b_i), dir)$, the above behavior is implemented as follows. Let $b$ be the action chosen by Robert. If $k \notin \{i, j\}$, tape cell $k$ is unchanged by the step of the machine, hence the only possible move of Gerald leads to $((k, b_k), (j, q_{dir}, b), choice)$. If $k = i$, tape cell $i$ is overwritten, hence the move of Gerald is unique and leads to $((i, b_{dir}), (j, q_{dir}, b), choice)$. Finally, if $k = j$, there are two cases. If $b = b_j$, then Gerald can only move to $((j, b_j), (j, q_{dir}, b_j), choice)$, which updates the data for the next configuration $succ_{dir}(C)$; otherwise the move $b$ ($\neq b_j$) of Robert is deviating (and the play reaches a safe position).
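The encoding $I_f(C)$ and the updating round, as an added example written for this page (not code from the paper or its authors): a configuration is encoded as its $f$-code and decoded back, and Gerald's unique replies to Robert's action $b$ from every position of $I_{dir}(C)$ are applied position by position, which yields exactly $I_{choice}(succ_{dir}(C))$ when $b = b_j$ and a set containing $safe_{choice}$ otherwise. The toy machine (tape alphabet, states, transition table) and the string `"_"` for the blank symbol are constructed assumptions.

```python
# Added example (not from the paper): the f-code I_f(C) of a configuration and the updating round
# of Section 3.2, i.e. the Delta cases for positions ((h, b), (i, q, b'), dir).
from typing import FrozenSet, Tuple

BLANK = "_"                       # stands for the blank symbol (our choice)
Config = Tuple[str, int, str]     # (tape content w_1..w_n, scanned cell i in [n], state q)
SAFE_CHOICE = "safe_choice"
Q_REJ = "q_rej"

# Constructed toy machine: tape alphabet {_, 0, 1}; q0 existential, q1 universal;
# delta(q, b) = (left triple, right triple), each triple being (state, written symbol, head move).
DELTA = {
    ("q0", BLANK): (("q1", "1", +1), (Q_REJ, "0", +1)),
    ("q1", BLANK): (("q_acc", "1", -1), (Q_REJ, "1", -1)),
    ("q1", "1"):   (("q_acc", "0", +1), ("q_acc", "1", +1)),
}


def code(C: Config, f: str) -> FrozenSet:
    """I_f(C) = {((h, b_h), (i, q, b_i), f) | h in [n]}: each position carries one tape cell
    plus the head position, state and scanned symbol, which all positions share."""
    tape, i, q = C
    return frozenset(((h, tape[h - 1]), (i, q, tape[i - 1]), f) for h in range(1, len(tape) + 1))


def decode(I: FrozenSet) -> Tuple[Config, str]:
    """Recover the configuration and the flag f from an f-code (inverse of `code`)."""
    cells = {h: b for (h, b), _, _ in I}
    (_, (i, q, _), f) = next(iter(I))
    return ("".join(cells[h] for h in range(1, len(cells) + 1)), i, q), f


def is_secret(v) -> bool:
    """Membership in S = ([n] x B) x ([n] x {q_rej} x B) x {choice}."""
    return v != SAFE_CHOICE and v[1][1] == Q_REJ and v[2] == "choice"


def violates_opacity(I: FrozenSet) -> bool:
    """I ⊆ S: Robert knows for sure that the current position is a secret."""
    return all(is_secret(v) for v in I)


def succ(C: Config, d: str) -> Config:
    """succ_l / succ_r of a non-terminal configuration (d is "L" or "R")."""
    tape, i, q = C
    q2, b2, theta = DELTA[(q, tape[i - 1])][0 if d == "L" else 1]
    return tape[:i - 1] + b2 + tape[i:], i + theta, q2


def update_round(I: FrozenSet, b: str) -> FrozenSet:
    """Gerald's unique reply to Robert's action b from every position of I_dir(C):
    cells other than i and j are copied, cell i receives b_dir, and cell j must already
    hold b, otherwise that position deviates to safe_choice."""
    out = set()
    for (h, bh), (i, q, bi), d in I:
        q2, b2, theta = DELTA[(q, bi)][0 if d == "L" else 1]
        j = i + theta
        if h == i:
            out.add(((h, b2), (j, q2, b), "choice"))
        elif h == j:
            out.add(((h, bh), (j, q2, bh), "choice") if b == bh else SAFE_CHOICE)
        else:
            out.add(((h, bh), (j, q2, b), "choice"))
    return frozenset(out)


if __name__ == "__main__":
    C_init = (BLANK * 3, 1, "q0")                   # (q0, _) _ _  with n = 3
    C_left = succ(C_init, "L")                      # ("1__", 2, "q1")
    print(update_round(code(C_init, "L"), BLANK) == code(C_left, "choice"))   # True
    print(violates_opacity(code(succ(C_init, "R"), "choice")))               # True: q_rej reached
```

Robert's only non-deviating action from $I_{dir}(C)$ is the content $b_j$ of the cell the head moves to; with any other action the position for cell $j$ goes to $safe_{choice}$, which is not a secret, so the resulting information set can never be included in $S$ again.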

We can now formally define the moves in $A_{\mathcal{M}}$, by letting $\Delta : V \times \Sigma \to 2^V \setminus \{\emptyset\}$ be:

Case $v = v_0$:

$$\Delta(v, a) = \{((h, \sqcup), (1, q_0, \sqcup), choice) \mid h \in [n]\}$$

Case $v = safe_{choice}$:

$$\Delta(v, a) = \{safe_{dir} \mid dir \in \{L, R\}\}$$

Case $v = safe_{dir}$, where $dir \in \{L, R\}$:

$$\Delta(v, a) = \{safe_{choice}\}$$

Case $v = ((h, b), (i, q, b'), choice)$:

$$\Delta(v, a) = \begin{cases} \{((h, b), (i, q, b'), dir) \mid dir \in \{L, R\}\} & \text{if } a = \exists \text{ and } q \in Q_\exists \\ \{((h, b), (i, q, b'), L)\} & \text{if } a = \forall_L \text{ and } q \in Q_\forall \\ \{((h, b), (i, q, b'), R)\} & \text{if } a = \forall_R \text{ and } q \in Q_\forall \\ \{safe_{dir} \mid dir \in \{L, R\}\} & \text{otherwise} \end{cases}$$

Case $v = ((h, b), (i, q, b'), dir)$, where $dir \in \{L, R\}$, $q \notin \{q_{rej}, q_{acc}\}$, and $\delta_{dir}(q, b') = (q_{dir}, b_{dir}, \theta_{dir})$:

$$\Delta(v, a) = \begin{cases} \{((h, b), (i + \theta_{dir}, q_{dir}, a), choice)\} & \text{if } a \in B \text{ and } h \notin \{i, i + \theta_{dir}\} \\ \{((h, b_{dir}), (i + \theta_{dir}, q_{dir}, a), choice)\} & \text{if } a \in B \text{ and } h = i \\ \{((h, b), (i + \theta_{dir}, q_{dir}, b), choice)\} & \text{if } a = b \text{ and } h = i + \theta_{dir} \\ \{safe_{choice}\} & \text{otherwise} \end{cases}$$

Case $v = ((h, b), (i, q, b'), dir)$, where $dir \in \{L, R\}$ and $q \in \{q_{rej}, q_{acc}\}$:

$$\Delta(v, a) = \{((h, b), (i, q, b'), choice)\}$$

This achieves the construction of the game $A_{\mathcal{M}}$, which satisfies the following result:

Theorem 6 [2] There is an accepting computation tree of $\mathcal{M}$ over $\varepsilon$ if and only if there is a winning strategy of Gerald in the game $A_{\mathcal{M}}$.

4 Blindfold games with opacity condition 

We recall that a game with imperfect information is blindfold if all positions have the same observation. 

Lemma 7 Let $A = (V, \Delta, obs, act, v_0)$ be a blindfold game with imperfect information over $\Sigma$ and $\Gamma = \{\gamma\}$. For every play prefix $\rho^n = v_0 a_1 v_1 \ldots a_n v_n$, $I(\rho^n) = \Delta(\{v_0\}, a_1 \ldots a_n)$.

The proof is trivial, by applying the definition of the information set.

In blindfold games Robert cannot base the choice of his actions on anything because he sees nothing of what Gerald does. So a strategy for Robert is just an infinite sequence of actions. More formally:

Lemma 8 Let $A = (V, \Delta, obs, act, v_0)$ be a blindfold game with imperfect information over $\Sigma$ and $\Gamma = \{\gamma\}$, and let $\alpha$ be a strategy for Robert. Then there exists $a_1 a_2 a_3 \ldots \in \Sigma^\omega$ such that for all strategies $\beta$ and $\beta'$ for Gerald, $obs(\widehat{\alpha\beta}) = obs(\widehat{\alpha\beta'}) = v_0 a_1 \gamma a_2 \gamma \ldots$

In the rest of this section we prove the following two theorems:

Theorem 9 Blindfold games with opacity condition are determined.

Theorem 10 For blindfold games with opacity condition, the opacity-guarantee problem and the opacity-violate problem are PSPACE-complete.

Both theorems are proved by considering a third problem: the opacity-verify problem, which addresses the strong ability for Gerald to win the game. We define this problem and establish its PSPACE-completeness in the general setting of games with opacity condition and also in the particular case of blindfold games (Theorem 11). We finally compare it to the opacity-violate and opacity-guarantee problems for blindfold games (Theorem 14).

Definition 5 Given a game with opacity condition $A = (V, \Delta, obs, act, v_0, S)$, the opacity-verify problem is to decide whether the following property holds:

$$\forall \beta,\ \forall \alpha,\ \widehat{\alpha\beta} \text{ is } S\text{-opaque} \qquad (1)$$

If Property (1) holds, any strategy $\beta$ of Gerald is a winning strategy. Otherwise, there exists a play in the game that is not $S$-opaque.

Theorem 11 The opacity-verify problem is PSPACE-complete, even for blindfold games.

For the PSPACE membership, we design an algorithm that decides whether there exists a losing play for Gerald, which is clearly equivalent to deciding whether there exists a strategy of Gerald that is not winning. The algorithm runs in NPSPACE, hence in PSPACE [18], by nondeterministically choosing the moves for Robert and Gerald, and by updating the current information set of Robert at each round. Since information sets are subsets of the set of positions, if there are $n$ positions, we need $O(n)$ space to run this algorithm. The PSPACE-hardness of the opacity-verify problem results from a reduction from the universality problem for a complete nondeterministic finite automaton (NFA), known to be PSPACE-complete [19]. This reduction was initially inspired by [7] but is in fact a variant of the one in [6].

We recall that a NFA $\mathcal{A} = (Q, \Sigma, \Delta, Q_0, Q_f)$ is a nondeterministic finite automaton with states $Q$, alphabet $\Sigma$, transition relation $\Delta : Q \times \Sigma \to 2^Q$ and sets of (respectively) initial and accepting states $Q_0$ and $Q_f$. A NFA $\mathcal{A}$ is complete if for every state $q$ and letter $a$, $\Delta(q, a) \neq \emptyset$. The language $\mathcal{L}(\mathcal{A}) \subseteq \Sigma^*$ of $\mathcal{A}$ is the set of words $w \in \Sigma^*$ such that $\Delta(Q_0, w) \cap Q_f \neq \emptyset$. The universality problem is to decide whether $\mathcal{A}$ accepts all possible finite words, i.e. $\mathcal{L}(\mathcal{A}) = \Sigma^*$.

Given a complete NFA $\mathcal{A} = (Q, \Sigma, \Delta, Q_0, Q_f)$, define the blindfold game with opacity condition $A_{\mathcal{A}} = (Q \cup \{q_0\}, \Delta', obs, act, q_0, S)$ over $\Sigma$ and $\Gamma = \{\gamma\}$, with $q_0 \notin Q$, as follows:

$$S = Q \setminus (Q_f \cup \{q_0\}) \qquad act(\gamma) = \Sigma \qquad \forall q \in Q \cup \{q_0\},\ obs(q) = \gamma$$

Since, firstly, $q_0$ is not reachable after the first move, secondly, $\Delta'(q, a) = \Delta(q, a)$ for $q \neq q_0$ and, finally, $\Delta'(q_0, a) = Q_0$ for all $a$, we obtain from Lemma 7 the following corollary:

Corollary 12 For each play prefix in $A_{\mathcal{A}}$ of the form $\rho^n = q_0 a_1 \ldots a_n q_n$ ($n \geq 1$), $I(\rho^n) = \Delta(Q_0, a_2 \ldots a_n)$.

One may note that the aim of the initial position qo is to initialise Robert's information set to Qo at 
the end of the first round. 

Proposition 13 The NFA is universal if and only if in A^, every strategy of Gerald is winning. 

Proof We start with the right-to-left implication. Assume that every strategy is winning for Gerald. Take one strategy $\beta$, and take a word $w \in \Sigma^*$. Consider a play $\rho$ in which Robert's first moves form the sequence of actions $aw$, for some $a$ in $\Sigma$, and Gerald follows strategy $\beta$. This is possible because the underlying automaton is complete. Since $\rho$ is induced by the winning strategy $\beta$, it is $S$-opaque, hence in particular $I(\rho^{1+|w|}) \not\subseteq S$. By Corollary 12 we obtain $\Delta(Q_0,w) \not\subseteq S$, which implies that there exists a position $q$ in $\Delta(Q_0,w)$ that is in $Q_f$, hence $\mathcal{A}$ accepts $w$. So $\mathcal{A}$ is universal.

For the other implication, suppose that $\mathcal{A}$ is universal. Let $\beta$ be a strategy of Gerald, and let $\rho$ be a play induced by $\beta$. We prove that $\rho$ is $S$-opaque. Let $n \in \mathbb{N}$. If $n = 0$, $I(\rho^n) = \{q_0\} \not\subseteq S$. If $n > 0$, there exists $w$ in $\Sigma^*$ such that $I(\rho^n) = \Delta(Q_0,w)$ (Corollary 12). Since $\mathcal{A}$ is universal it accepts $w$, hence $\Delta(Q_0,w) \cap Q_f \neq \emptyset$. So $I(\rho^n) \not\subseteq S$, and this finishes the proof. □

Theorem 14 In the setting of blindfold games with opacity condition, the opacity-verify problem, the opacity-guarantee problem and the complement of the opacity-violate problem are equivalent.

Proof Let $A = (V, \Delta, obs, act, v_0, S)$ be a blindfold game with opacity condition. It is clear that in general,

$$\forall\beta,\ \forall\alpha,\ \hat{\alpha}\beta \text{ is } S\text{-opaque} \;\Rightarrow\; \exists\beta,\ \forall\alpha,\ \hat{\alpha}\beta \text{ is } S\text{-opaque}$$

We prove the converse in the case of blindfold games. Suppose that there exists a winning strategy $\beta$ for Gerald. We prove that any strategy $\beta'$ is also winning.

Let $\alpha$ be a strategy for Robert. Since $A$ is blindfold, by Lemma 8 we have that $obs(\hat{\alpha}\beta) = obs(\hat{\alpha}\beta')$, so for every $n \in \mathbb{N}$, $I(\hat{\alpha}\beta'^n) = I(\hat{\alpha}\beta^n) \not\subseteq S$.

So we have that the opacity-verify problem is equivalent to the opacity-guarantee problem in blindfold games. We now show that the opacity-verify problem is also equivalent to the complement of the opacity-violate problem (decide whether $\forall\alpha,\ \exists\beta$ s.t. $\hat{\alpha}\beta$ is $S$-opaque holds).

Once again one implication is trivial:

$$\forall\beta,\ \forall\alpha,\ \hat{\alpha}\beta \text{ is } S\text{-opaque} \;\Rightarrow\; \forall\alpha,\ \exists\beta,\ \hat{\alpha}\beta \text{ is } S\text{-opaque}$$

Now the other way. Suppose that for any strategy $\alpha$ there is a strategy $\beta$ for Gerald such that $\alpha$ loses. Now take any couple of strategies $(\alpha, \beta')$. We know that there exists a strategy $\beta$ such that $\hat{\alpha}\beta$ is $S$-opaque. But we also know (Lemma 8) that $obs(\hat{\alpha}\beta) = obs(\hat{\alpha}\beta')$ because the game is blindfold, so once again for every $n \in \mathbb{N}$, $I(\hat{\alpha}\beta'^n) = I(\hat{\alpha}\beta^n) \not\subseteq S$. □

The idea behind this theorem is that in blindfold games with opacity condition, the outcome of a play does not rely on Gerald's behaviour but only on what Robert plays. Indeed, since he observes nothing of what Gerald does, Robert's information set, and so the winning condition, are only determined by the series of actions he chooses. Thus, via a power-set construction, these games can be seen as (reachability) one-player games: each position is a reachable information set $I$, at each step the unique player (Robert) chooses an action $a \in act(I)$, where $I$ is the current position, and moves to position $\Delta(I,a)$. Therefore, in blindfold games with opacity condition, either Robert has a winning strategy (i.e. a winning sequence of actions), or Gerald wins whatever he does.

The determinacy of blindfold games with opacity condition (Theorem 9) is an immediate corollary of the above Theorem 14. Also Theorem 10 results from Theorems 14 and 11.
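The reduction of Proposition 13 and the one-player (power-set) view of blindfold games described above, as an added worked example that is not part of the paper. Two small complete NFAs (`NFA_ENDS_A`, `NFA_UNIVERSAL`), the fresh position name `q_init` (the paper's $q_0$) and the function names are all constructed here. `robert_winning_sequence` explores Robert's reachable information sets exactly as the PSPACE algorithm of Theorem 11 does, except that it does so exhaustively instead of guessing one play, so it returns a concrete losing play for Gerald when one exists, and its answer coincides with NFA universality as Proposition 13 states.

```python
from collections import deque
from itertools import product

# Constructed example NFAs (not taken from the paper). Both are complete: every
# (state, letter) pair has at least one successor, as the reduction requires.
NFA_ENDS_A = {   # accepts the empty word and every word ending in a; rejects words ending in b
    "states": {0, 1}, "alphabet": {"a", "b"}, "q0": {1}, "qf": {1},
    "delta": {(1, "a"): {0, 1}, (1, "b"): {0}, (0, "a"): {0, 1}, (0, "b"): {0}},
}
NFA_UNIVERSAL = {  # accepts every word: state 1 is always among the reachable states
    "states": {0, 1}, "alphabet": {"a", "b"}, "q0": {0, 1}, "qf": {1},
    "delta": {(q, x): {0, 1} for q in (0, 1) for x in "ab"},
}


def delta_set(nfa, states, word):
    """Extended transition Delta(states, word) of the NFA on a set of states."""
    cur = set(states)
    for letter in word:
        cur = set().union(*(nfa["delta"][(q, letter)] for q in cur))
    return frozenset(cur)


def nfa_accepts(nfa, word):
    return bool(delta_set(nfa, nfa["q0"], word) & nfa["qf"])


def universal_by_enumeration(nfa, max_len):
    """Brute-force universality check over all words of length <= max_len (exponential)."""
    letters = sorted(nfa["alphabet"])
    return all(nfa_accepts(nfa, "".join(w))
               for n in range(max_len + 1) for w in product(letters, repeat=n))


def build_game(nfa):
    """The blindfold game A_nfa of the reduction: positions Q u {q_init}, Delta'(q_init, a) = Q_0,
    Delta'(q, a) = Delta(q, a) for q in Q, a single observation, act = Sigma, and
    S = Q \\ (Q_f u {q_init}). 'q_init' is our name for the fresh position q_0 of the paper."""
    assert all(nfa["delta"][(q, a)] for q in nfa["states"] for a in nfa["alphabet"]), "NFA must be complete"
    q_init = "q_init"

    def delta_prime(q, a):
        return set(nfa["q0"]) if q == q_init else set(nfa["delta"][(q, a)])

    return {"v0": q_init, "delta": delta_prime, "actions": set(nfa["alphabet"]),
            "secret": {q for q in nfa["states"] if q not in nfa["qf"]}}


def information_set(game, actions):
    """Robert's information set after the given action sequence. In a blindfold game it depends
    only on the actions (Lemma 8), so it is the power-set position reached in the one-player view.
    By Corollary 12 it equals Delta(Q_0, a_2 ... a_n) of the underlying NFA."""
    info = frozenset({game["v0"]})
    for a in actions:
        info = frozenset().union(*(game["delta"](q, a) for q in info))
    return info


def robert_winning_sequence(game):
    """Breadth-first search over reachable information sets. Returns the shortest action sequence
    whose information set is included in S (a losing play for Gerald, whatever he does), or None
    when no such set is reachable, i.e. every strategy of Gerald is winning."""
    start = frozenset({game["v0"]})
    queue, seen = deque([(start, ())]), {start}
    while queue:
        info, actions = queue.popleft()
        if info <= game["secret"]:
            return list(actions)
        for a in sorted(game["actions"]):
            nxt = frozenset().union(*(game["delta"](q, a) for q in info))
            if nxt and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, actions + (a,)))
    return None


def every_gerald_strategy_wins(game):
    """Answer to the opacity-verify problem on a blindfold game (Proposition 13: equals universality)."""
    return robert_winning_sequence(game) is None


if __name__ == "__main__":
    for name, nfa in (("NFA_ENDS_A", NFA_ENDS_A), ("NFA_UNIVERSAL", NFA_UNIVERSAL)):
        seq = robert_winning_sequence(build_game(nfa))
        print(name, "| universal (brute force):", universal_by_enumeration(nfa, 4),
              "| Robert's winning sequence:", seq,
              "| rejected word a_2...a_n:", "".join(seq[1:]) if seq else None)
```

For `NFA_ENDS_A` the search returns the sequence `a b`: the first action only initialises the information set to $Q_0$, and the remaining word `b` is rejected by the automaton, which is exactly the correspondence of Corollary 12. For `NFA_UNIVERSAL` no reachable information set lies inside $S$, so every strategy of Gerald wins.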

5 Related work 

Opacity has mostly been studied in the framework of discrete-event systems and their theory of control 
([17, 8]). It is both interesting and important to know to what extent the classical problems in this field 
can be embedded into our games. We first describe the discrete-event system setting, next we define the 
notion of opacity in this framework. We finally propose a translation from the verification of opacity in 
this setting to the opacity-verify problem in games with opacity condition. 

First we recall that a deterministic finite automaton (DFA) is a NFA $\mathcal{A} = (Q, \Sigma, \delta, q_0, Q_f)$ but with a unique initial state $q_0$ and in which the transition relation $\delta : Q \times \Sigma \to 2^Q$ satisfies $|\delta(q,a)| \leq 1$ for all states $q$ and input symbols $a$.

The problem of opacity is defined in [8] with regards to a LTS $G$ (labelled transition system, i.e. a DFA without accepting states) and a confidential predicate $\phi$ over execution traces of $G$, representable by a regular language $\mathcal{L}_\phi \subseteq \Sigma^*$ where $\Sigma$ is the set of events of the transition system. For convenience, we equivalently state it on a DFA $\mathcal{A}_G^\phi$ representing the transition system together with the secret predicate. The automaton $\mathcal{A}_G^\phi$ is simply the synchronized product of $G$ with some complete DFA accepting $\mathcal{L}_\phi$. We denote by $\mathcal{T}(\mathcal{A}) \subseteq \Sigma^*$ the set of execution traces of an automaton $\mathcal{A}$, and by $\mathcal{L}(\mathcal{A})$ the language accepted by $\mathcal{A}$, so we have that $\mathcal{T}(\mathcal{A}_G^\phi) = \mathcal{T}(G)$ and $\mathcal{L}(\mathcal{A}_G^\phi) = \mathcal{T}(G) \cap \mathcal{L}_\phi$. From now on, for a DFA $\mathcal{A}$, a state $q$ and $w \in \mathcal{T}(\mathcal{A})$, $\delta(q,w)$ shall denote the only state it contains.

We consider a subset of events $\Sigma_a \subseteq \Sigma$ which denotes the observation capabilities of a potential attacker of the system, and we let $P_{\Sigma_a}$ be the projection function from $\Sigma^*$ to $\Sigma_a^*$. Two words $w$ and $w'$ are observationally equivalent if $P_{\Sigma_a}(w) = P_{\Sigma_a}(w')$. We denote by $[w]_a = P_{\Sigma_a}^{-1}(P_{\Sigma_a}(w))$ the set of words in $\Sigma^*$ that are observationally equivalent to the word $w$ with regard to $\Sigma_a$.

Definition 6 $\mathcal{L}_\phi$ is opaque w.r.t. $\mathcal{T}(G)$ and $\Sigma_a$ if

$$\forall w \in \mathcal{T}(G),\quad [w]_a \cap \mathcal{T}(G) \not\subseteq \mathcal{L}_\phi$$

This means that $\mathcal{L}_\phi$ is opaque w.r.t. $\mathcal{T}(G)$ and $\Sigma_a$ if, and only if, whenever an execution trace of $G$ verifies the confidential predicate $\phi$ there exists another possible execution trace, observationally equivalent to it, that does not verify $\phi$.

We take an instance of the opacity verification problem, $\mathcal{A}_G^\phi = (Q, \Sigma, \delta, q_0, Q_f)$, and we describe the construction of the game with opacity condition $A_G$ such that the following holds.

Theorem 15 Verifying that $\mathcal{L}_\phi$ is opaque w.r.t. $\mathcal{T}(G)$ and $\Sigma_a$ is equivalent to deciding the opacity-verify problem in $A_G$.

The construction starts from $\mathcal{A}_G^\phi$ where transitions labelled by events in $\Sigma \setminus \Sigma_a$ are turned into $\varepsilon$-transitions. Then we remove those $\varepsilon$-transitions as described in [11] by taking the $\varepsilon$-closure of the transition function, and we obtain the $\varepsilon$-free nondeterministic finite automaton $\mathcal{A}_\varepsilon = (Q, \Sigma_a, \Delta_\varepsilon, Q_0^\varepsilon, Q_f)$.

In this automaton, transitions are all labelled by observable events. One should think of the nondeterminism in this automaton as the uncertainty the attacker has concerning the behaviour of the system. More precisely, when an observable event is triggered she does not know whether the system takes "invisible" transitions or not, be it before, after, or both before and after the observable one. We need the following lemma, which is a mere consequence of the construction:

Lemma 16

$$\forall w \in \Sigma_a^*,\quad \Delta_\varepsilon(Q_0^\varepsilon, w) = \{\delta(q_0, w') \mid w' \in [w]_a \cap \mathcal{T}(G)\}$$

We can now define the game $A_G = (V, \Delta, obs, act, v_0, S)$ over $\Sigma' = \{\surd\}$ and $\Gamma = \{\gamma_x \mid x \in \Sigma_a\} \cup \{\gamma_\varepsilon\}$:

• $V = (Q \times (\Sigma_a \cup \{\varepsilon\})) \cup \{v_{init}\}$

• $\Delta(v_{init}, \surd) = Q_0^\varepsilon \times \{\varepsilon\}$, and $\Delta((q,x), \surd) = \{(q',y) \mid y \in \Sigma_a,\ q' \in \Delta_\varepsilon(q,y)\}$

• $\forall (q,x) \in V,\ obs((q,x)) = \gamma_x$, and $obs(v_{init}) = \gamma_\varepsilon$

• $\forall v \in V,\ act(v) = \{\surd\}$

• $S = \{(q_f, x) \mid q_f \in Q_f,\ x \in \Sigma_a \cup \{\varepsilon\}\}$ and

• $v_0 = v_{init}$

Remark 3 Without loss of generality we can assume that in every state $q$ of $\mathcal{A}_\varepsilon$ there exists an event $y$ in $\Sigma_a$ such that $\Delta_\varepsilon(q,y)$ is not empty. So in every position $(q,x)$ in $V$, $\Delta((q,x),\surd)$ is not empty, and the game can always continue.

In this game, Robert is passive. He only observes Gerald, who simulates the system $G$. If the game is in position $(q,x)$, it represents that we are in state $q$ in the system $G$, and that the last visible event was $x$ (if $x = \varepsilon$, no observable event happened yet). Robert observes $\gamma_x$, i.e. the only information he gains during a play is the sequence of visible events. When Gerald plays, he chooses a visible event $y$ and a state reachable from $q$ through $y$ in $\mathcal{A}_\varepsilon$, which can be seen as choosing as many invisible transitions in $G$ as he wishes, plus one visible amongst them, $y$. We shall denote by $\alpha_\surd$ the only possible strategy for Robert, which is to always play $\surd$.

$v_{init}$ is the initial position, which can never be reached after the first move. It is used to initialize Robert's information set to $Q_0^\varepsilon \times \{\varepsilon\}$ (these are the only positions reachable from $v_{init}$, and they have the same observation, $\gamma_\varepsilon$). This represents the set of states in $G$ that are reachable before any observable transition is taken.

We start the proof of Theorem 15 by establishing this central lemma.

Lemma 17 Let $\rho^{n+1} = v_{init}\surd(q_0,\varepsilon)\surd(q_1,x_1)\ldots\surd(q_n,x_n)$ be a prefix of a play, with $n \geq 0$. Then $\{q \mid (q,x_n) \in I(\rho^{n+1})\} = \Delta_\varepsilon(Q_0^\varepsilon, x_1\ldots x_n)$ and for all $(q,x)$ in $I(\rho^{n+1})$, $x = x_n$.

Proof The latter fact is obvious, from the definition of observations. Considering the former fact, we prove it by induction on $n$.

$n = 1$: $I(\rho^1) = \Delta(\{v_{init}\},\surd) \cap obs^{-1}(\gamma_\varepsilon) = \{(q,\varepsilon) \mid q \in Q_0^\varepsilon\}$, so $\{q \mid (q,\varepsilon) \in I(\rho^1)\} = Q_0^\varepsilon = \Delta_\varepsilon(Q_0^\varepsilon, \varepsilon)$.

$n + 1$:

$$\begin{aligned}
\{q \mid (q,x_{n+1}) \in I(\rho^{n+2})\}
&= \{q \mid (q,x_{n+1}) \in \Delta(I(\rho^{n+1}),\surd) \cap obs^{-1}(\gamma_{x_{n+1}})\}\\
&= \{q \mid (q,x_{n+1}) \in \Delta(I(\rho^{n+1}),\surd)\}\\
&= \{q \mid \exists (q',x_n) \in I(\rho^{n+1}),\ q \in \Delta_\varepsilon(q',x_{n+1})\}\\
&= \{q \mid \exists q' \in \Delta_\varepsilon(Q_0^\varepsilon, x_1\ldots x_n),\ q \in \Delta_\varepsilon(q',x_{n+1})\}\\
&= \Delta_\varepsilon(Q_0^\varepsilon, x_1\ldots x_{n+1})
\end{aligned}$$

□
We move on to the proof of Theorem 15. Suppose that every strategy $\beta$ is winning for Gerald. We prove that $\mathcal{L}_\phi$ is opaque w.r.t. $\mathcal{T}(G)$ and $\Sigma_a$. Take a word $w$ in $\mathcal{T}(G)$. There exists a prefix of a play $\rho^{n+1} = v_{init}\surd(q_0,\varepsilon)\surd(q_1,x_1)\ldots\surd(q_n,x_n)$ such that $x_1\ldots x_n = P_{\Sigma_a}(w)$. So there exists a strategy $\beta$ such that $\hat{\alpha}_\surd\beta^{n+1} = \rho^{n+1}$. With Lemmas 17 and 16 we have that $\{q \mid (q,x_n) \in I(\rho^{n+1})\} = \{\delta(q_0,w') \mid w' \in [x_1\ldots x_n]_a \cap \mathcal{T}(G)\}$. Since $\beta$ is winning, $\{q \mid (q,x_n) \in I(\rho^{n+1})\} \not\subseteq Q_f$, so there exists $w'$ in $[x_1\ldots x_n]_a \cap \mathcal{T}(G) = [w]_a \cap \mathcal{T}(G)$ such that $\delta(q_0,w') \notin Q_f$. This implies that $[w]_a \cap \mathcal{T}(G) \not\subseteq \mathcal{L}_\phi$.

Now suppose that $\mathcal{L}_\phi$ is opaque w.r.t. $\mathcal{T}(G)$ and $\Sigma_a$, and take $\beta$ a strategy for Gerald in $A_G$; we prove that $\beta$ is winning. Let $\rho_\beta = \hat{\alpha}_\surd\beta$ be the only possible play induced by $\beta$. Take a prefix $\rho_\beta^{n+1} = v_{init}\surd(q_0,\varepsilon)\surd(q_1,x_1)\ldots\surd(q_n,x_n)$ of this play. By Lemmas 17 and 16 again, $\{q \mid (q,x_n) \in I(\rho_\beta^{n+1})\} = \{\delta(q_0,w) \mid w \in [x_1\ldots x_n]_a \cap \mathcal{T}(G)\}$. Since an information set is never empty, there exists $w$ in $[x_1\ldots x_n]_a \cap \mathcal{T}(G)$, and because $\mathcal{L}_\phi$ is opaque w.r.t. $\mathcal{T}(G)$, $[x_1\ldots x_n]_a \cap \mathcal{T}(G) \not\subseteq \mathcal{L}_\phi$. So there exists $w'$ in $[x_1\ldots x_n]_a \cap \mathcal{T}(G)$ such that $\delta(q_0,w') = q \notin Q_f$, hence $(q,x_n) \notin S$ and $I(\rho_\beta^{n+1}) \not\subseteq S$. So $\beta$ is winning.

6 Discussion on complexity 

Solving safety games with perfect information is in PTIME, and solving parity games with perfect information is known to be in NP ∩ co-NP [12]. However we have seen that deciding whether Gerald, who has perfect information, has a winning strategy in a game with opacity condition is EXPTIME-complete, even if we let Robert play with perfect information (in the sense that his strategies are based on actual prefixes of plays instead of their observations). So the gap between deciding the existence of a winning strategy for a player in perfect-information games and for Gerald in a game with opacity condition does not come from the fact that Robert has imperfect information, but rather from the nature of the winning condition itself, which is based on the notion of information set and forces Gerald to keep track of Robert's information set along the game.

Similarly, verifying that a finite-state strategy is winning in a safety perfect-information game can be done in PTIME, whereas we have shown in [?] that in games with opacity condition, deciding whether a finite-state (and even memoryless) strategy of Gerald is winning is PSPACE-complete in the size of the arena and the memory of the strategy (we define in the classic way the size of the memory of a strategy as the number of states of an I/O automaton realizing the strategy [9]). The idea is that one has to check that the strategy is winning not in all positions, but in all information sets. Concerning the size of the memory needed for Gerald's strategies, we know that an exponential memory is sufficient because if there is a winning strategy there is a memoryless one in the power-set construction. The lower bound for the needed memory is still an open problem.

7 Conclusion and perspectives 

Following [14], we have extended the study of games with opacity condition. The opacity condition is an atypical winning condition in imperfect-information arenas aiming at capturing security aspects of computer systems. Since games with opacity condition are not determined in general, two dual problems need to be considered: the opacity-violate problem and the opacity-guarantee problem, focusing on the player who has imperfect information and on the player who has perfect information respectively. The latter problem is usually equivalent to solving the underlying perfect-information game, which explains why it has never been considered; but the fact that our winning condition is based on information sets makes the problem relevant. For both problems, simple power-set constructions apply to convert such games into perfect-information ones, which can be solved in polynomial time, hence their upper bound is EXPTIME. On the contrary, the matching EXPTIME lower bound for the opacity-guarantee problem, where the main player has perfect information, was unknown until now and relies on an elegant reduction from the empty input string acceptance problem for linearly-bounded alternating Turing machines. The key point is to encode configurations by information sets. The reduction and its correctness proof are very technical, but we could provide an intuitive informal description.

Finally, we focused on the particular case of blindfold games, which offers specific results such as determinacy (Theorem 9) and PSPACE-complete complexities (Theorem 10). The main tool to obtain these results is the opacity-verify problem, which addresses the question whether any strategy of Gerald is winning. The fact that blindfold games with opacity condition can be seen as one-player games makes this problem relevant and explains why it is equivalent to the opacity-guarantee problem and to the complement of the opacity-violate problem in the blindfold setting, as we established. We also proved that it is PSPACE-complete, by providing a PSPACE algorithm and a reduction from the nondeterministic finite automata universality problem. The opacity-verify problem is all the more interesting to consider as it naturally demonstrates how the paradigm of opacity condition embraces opacity issues investigated in the recent literature of Control Theory [17, 8].

Games with opacity condition open a novel field in the theoretical aspects of games with imperfect information by putting the emphasis on the player who has perfect information. From this point of view, a plethora of questions need to be addressed, among which their connection with language-theoretic issues (the synchronizing/directing word problem [3, 4, 15], controller synthesis to enforce the opacity of a language [8]), their logical foundations, and their algorithmic aspects.



Acknowledgements 

We are very grateful to the reviewers for relevant comments and suggestions that significantly helped in 
highlighting the conceptual content of the paper. 

References 

[1] D. Berwanger & L. Doyen (2008): On the power of imperfect information. In: Proc. of FSTTCS. Citeseer, pp. 73-82. Available at http://drops.dagstuhl.de/opus/volltexte/2008/1742.

[2] Laura Bozzelli, Bastien Maubert & Sophie Pinchinat (2011): Opacity Issues in Games with Imperfect Information. Technical Report PI-1978, IRISA.

[3] Ján Černý (1964): Poznámka k homogénnym experimentom s konečnými automatmi. Mat.-fyz. čas. SAV 14, pp. 208-215.

[4] Ján Černý, Alica Pirická & Blanka Rosenauerová (1971): On directable automata. Kybernetika 7, pp. 289-298.

[5] A.K. Chandra & L.J. Stockmeyer (1976): Alternation. In: 17th Annual Symposium on Foundations of Computer Science. IEEE, pp. 98-108, doi:10.1109/SFCS.1976.4.

[6] M. De Wulf, L. Doyen, T. Henzinger & J.F. Raskin (2006): Antichains: A new algorithm for checking universality of finite automata. In: Computer Aided Verification. Springer, pp. 17-30.

[7] J. Dubreil (2009): Monitoring and Supervisory Control for Opacity Properties. Ph.D. thesis, Université de Rennes 1.



B. Maubert & S. Pinchinat & L. Bozzelli 



101 



[8] J. Dubreil, P. Darondeau & H. Marchand (2008): Opacity enforcing control synthesis. In: Discrete Event Systems, 2008. WODES 2008. 9th International Workshop on. IEEE, pp. 28-35, doi:10.1109/WODES.2008.4605918.

[9] S. Dziembowski, M. Jurdziński & I. Walukiewicz (1997): How much memory is needed to win infinite games? In: Logic in Computer Science, 1997. LICS'97. Proceedings., 12th Annual IEEE Symposium on. IEEE, pp. 99-110, doi:10.1109/LICS.1997.614939.

[10] J.Y. Halpern & M.Y. Vardi (1989): The complexity of reasoning about knowledge and time. I. Lower bounds. Journal of Computer and System Sciences 38(1), pp. 195-237, doi:10.1145/12130.12161.

[11] J.E. Hopcroft, R. Motwani & J.D. Ullman (2006): Automata theory, languages, and computation. International Edition, doi:10.1145/568438.568455.

[12] M. Jurdziński (1998): Deciding the winner in parity games is in UP ∩ co-UP. Information Processing Letters 68(3), pp. 119-124, doi:10.1016/S0020-0190(98)00150-1.

[13] D. Martin (1975): Borel determinacy. Annals of Mathematics 102, pp. 363-371, doi:10.2307/1971035.

[14] B. Maubert & S. Pinchinat (2009): Games with Opacity Condition. In: Proceedings of the 3rd International Workshop on Reachability Problems. Springer-Verlag, p. 175, doi:10.1007/978-3-642-04420-5_16.

[15] J.E. Pin (1983): On two combinatorial problems arising from automata theory. Ann. Discrete Math 17, pp. 535-548, doi:10.1016/S0304-0208(08)73432-7.

[16] J.H. Reif (1984): The complexity of two-player games of incomplete information. Journal of Computer and System Sciences 29(2), pp. 274-301, doi:10.1016/0022-0000(84)90034-5.

[17] A. Saboori & C.N. Hadjicostis (2008): Opacity-Enforcing Supervisory Strategies for Secure Discrete Event Systems. In: IEEE Conference on Decision and Control (CDC). Cancun, Mexico, pp. 889-894, doi:10.1109/CDC.2008.4738646.

[18] Walter J. Savitch (1970): Relationships between nondeterministic and deterministic tape complexities. J. Comput. System Sci. 4, pp. 177-192, doi:10.1016/S0022-0000(70)80006-X.

[19] L.J. Stockmeyer & A.R. Meyer (1973): Word problems requiring exponential time (Preliminary Report). In: Proceedings of the fifth annual ACM symposium on Theory of computing. ACM, pp. 1-9, doi:10.1145/800125.804029.



